The present invention relates to the security of a computer connected to a network system and, in particular, to a method of constituting a network system in which fire walls cooperate with one another to execute access control and to relay the communications of applications.
As a method of preventing invasion of a computer through a network, a repeater (fire wall) that restricts access from outside has been proposed.
A typical fire wall has, as described in the “Computer Security Resource Clearinghouse” of NIST (National Institute of Standards and Technology), the function of controlling access according to the IP (Internet Protocol) addresses of the transmitting side and the receiving side and the kind of service, and of storing an access record.
Moreover, as a repeater for relaying communication between a client and a server in an environment where fire walls exist, SOCKS V5, proposed in RFC 1928, is available. SOCKS defines mutual identification between the client and the repeating server and a protocol by which the client issues a connection instruction to the repeating server, and thereby communication between a client and a server separated by one fire wall can be realized.
Moreover, gateway protocols such as RIP (Routing Information Protocol: RFC 1058) and OSPF (Open Shortest Path First: RFC 1131) exist as mechanisms for the dynamic exchange of repeating route information in the IP layer.
With the rapid development of the Internet, a person can obtain various kinds of information generated throughout the world in real time but, on the other hand, is in turn exposed to the threat of external invasion. As effective measures against such external invasion, it has been proposed (1) to limit the IP addresses permitted to access each service and (2) to provide a gateway (fire wall in the narrow sense) that stores an access record. The use of such a fire wall in the narrow sense has reduced the threat from an external invader by keeping the operating environment of the gateway itself consistent and by localizing the range that an administrator must control.
However, when access control is executed with the technique of the related art, the object of access control is information bound to a computer, such as the class of service and the IP address, so access control based on users cannot be realized. For example, the desired access control becomes impossible for a computer to which the IP address is assigned dynamically, or where a class of service is limited to particular users.
Moreover, in a private network utilizing the Internet, a fire wall plays a very important role in security, and internal fire walls are increasingly installed within the private network in order to protect sub-networks. Several problems must be solved for communication in an environment where a plurality of fire walls exist. For example, when a computer on an external network attempts a communication that must pass the internal fire wall protecting a sub-network, the communication must be repeated between the external fire wall and the internal fire wall.
However, since the routing information for the internal fire wall that performs the repeating is concealed from the external network, such routing information must be obtained by some method. FIG. 1 shows an example of this problem. When a client ex101 attempts to communicate with a server accommodated in the network ex106 of corporation A, an external fire wall ex102 repeats the communication. For communication with the server ex104 in the network ex106 of corporation A, the external fire wall ex102 can obtain the routing information to the server ex104, so the communication can be repeated. However, for communication with the server ex105 accommodated in the sub-network ex107, the server ex105 is concealed by the internal fire wall ex103, so the external fire wall ex102 cannot obtain the routing information to the server ex105 and this communication cannot be repeated.
Moreover, in the case of communication between two networks connected through an external network, the communication cannot be realized between the respective internal fire walls unless the routing information identifying the internal fire wall is set in the external fire wall.
FIG. 2 shows an example of this problem. A client ex201 accommodated in the network ex210 is able to communicate with a server ex202 in the network ex211 because the fire wall ex206 is registered in the fire wall ex205 as the route to the server ex202. However, when a server ex204 is provided in the internal sub-network ex214 of the network ex213, the route is concealed by the fire wall ex208, so the internal fire wall ex209 cannot be registered in the fire wall ex207.
It is therefore an object of the present invention to solve the problems explained above by offering a means for exchanging repeating route information among a plurality of repeaters (fire walls), and thereby to provide a large-scale network system in which communication can pass the fire walls, together with the repeaters (fire walls) used in that network.
Moreover, it is also an object of the present invention to provide, through access control based on computer users and applications, a network system with enhanced security and higher operational flexibility, together with the repeaters used therein.
The objects explained above are achieved by the following means.
(1) Access control based on computer users and applications
Executing access control with computer users and applications as the objects of the access control.
(2) Identification of computer users and applications
Identifying, before access control is executed, that the communication was in fact requested by the person who issued the request.
(3) Data transfer in the repeaters having the access control function
Providing transparency of communication between computers through repeaters that have the access control function.
The data transfer by the repeaters is realized by providing, in each repeater, a repeating route control table that stores the correspondence between the address of the transmitting side computer and the address of the repeater provided to transfer the data to that address, and by executing two kinds of processing: processing that selects, from the repeating route control table, the repeater lying on the route to the target computer on the receiving side so that communication from the transmitting side computer becomes possible, and processing that connects to the repeating program of the repeater identified by that selection and requests it to repeat the communication with the receiving side.
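The following is an added, illustrative model of the two mechanisms described above (it is not code from the patent, and every name and address in it is an assumption of this example): each repeater holds a repeating route control table and a (user, application) access policy, an inner fire wall can advertise its route entry to the outer fire wall, and a relay request is followed hop by hop until a repeater reports that the target is directly reachable, has no route, or denies the user/application pair. The table is keyed on the receiving side (target) address, since that is what the selection step consults; the longest-prefix match goes slightly beyond the text, which only says that the repeater on the route is selected. The scenario reproduces FIG. 1 with constructed addresses: ex102 is the external fire wall, ex103 the internal fire wall, and 10.1.7.0/24 stands for the concealed sub-network ex107.

```python
"""Illustrative model of cooperating repeaters (fire walls) that consult a
repeating route control table and a user/application access policy.
Added example, not part of the patent text; names and addresses are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Route entry meaning: the target can be reached without another repeater.
DIRECT = "DIRECT"


@dataclass
class Repeater:
    """A fire wall that repeats (relays) application communications."""
    name: str
    # repeating route control table: target network -> next repeater name or DIRECT
    routes: Dict[str, str] = field(default_factory=dict)
    # access control object: (user, application) pairs permitted to be repeated
    allowed: Set[Tuple[str, str]] = field(default_factory=set)
    # stored access record, one line per decision
    access_log: List[str] = field(default_factory=list)

    def next_hop(self, dst: str) -> Optional[str]:
        """Select, by longest-prefix match, the repeater on the route to dst.
        Returns None when the table holds no entry covering dst."""
        addr = ip_address(dst)
        best: Optional[Tuple[int, str]] = None
        for net_str, hop in self.routes.items():
            net = ip_network(net_str)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, hop)
        return None if best is None else best[1]

    def permits(self, user: str, app: str) -> bool:
        """Access control on the user/application pair, with an access record."""
        decision = (user, app) in self.allowed
        verdict = "permitted" if decision else "denied"
        self.access_log.append(f"{self.name}: {user}/{app} {verdict}")
        return decision


def advertise(inner: Repeater, outer: Repeater, network: str) -> None:
    """Exchange of repeating route information: the inner fire wall tells the
    outer one that data for `network` must be handed to the inner repeater."""
    outer.routes[network] = inner.name


def relay(repeaters: Dict[str, Repeater], entry: str, user: str, app: str,
          dst: str) -> Tuple[bool, List[str], str]:
    """Follow the chain of repeaters from `entry` toward dst.
    Returns (success, list of repeaters traversed, reason)."""
    path: List[str] = []
    current = entry
    while True:
        rep = repeaters[current]
        path.append(current)
        if not rep.permits(user, app):
            return False, path, f"{current} denies {user}/{app}"
        hop = rep.next_hop(dst)
        if hop is None:
            return False, path, f"{current} has no route to {dst}"
        if hop == DIRECT:
            return True, path, "delivered"
        if hop in path:
            return False, path, f"routing loop at {hop}"
        if hop not in repeaters:
            return False, path, f"unknown repeater {hop}"
        current = hop


def build_fig1_scenario() -> Dict[str, Repeater]:
    """Constructed FIG. 1 scenario: ex102 (external) only knows the visible part
    of network ex106; ex103 (internal) conceals sub-network ex107 (10.1.7.0/24)."""
    ex102 = Repeater("ex102", routes={"10.1.1.0/24": DIRECT},
                     allowed={("alice", "ssh"), ("bob", "ssh")})
    ex103 = Repeater("ex103", routes={"10.1.7.0/24": DIRECT},
                     allowed={("alice", "ssh")})
    return {"ex102": ex102, "ex103": ex103}


if __name__ == "__main__":
    reps = build_fig1_scenario()
    print(relay(reps, "ex102", "alice", "ssh", "10.1.1.4"))  # server ex104: delivered
    print(relay(reps, "ex102", "alice", "ssh", "10.1.7.5"))  # server ex105: no route
    advertise(reps["ex103"], reps["ex102"], "10.1.7.0/24")   # route exchange
    print(relay(reps, "ex102", "alice", "ssh", "10.1.7.5"))  # now via ex103
    print(relay(reps, "ex102", "bob", "ssh", "10.1.7.5"))    # denied at ex103
    print("\n".join(reps["ex103"].access_log))
```

Before `advertise` is called, the relay toward the server in the concealed sub-network stops at ex102 with "no route", which is exactly the FIG. 1 problem; after the inner fire wall exports its entry, the same request traverses ex102 and then ex103. The access policy is evaluated at every repeater on the chain, so a user permitted by the external fire wall can still be refused by the internal one, and each decision is recorded in that repeater's own access log.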